SIP trunking and how to handle them. Check out the rest of the series (see box below) for essential information on SIP vs. PRI, selecting a SIP trunking provider, how to enable your legacy equipment, how to calculate how much VoIP bandwidth you'll need for SIP trunking services, and the advantages of SIP trunking.

As with most technologies, SIP trunking also has security concerns, which consist mainly of toll fraud. Hackers are unlikely to launch a successful attack against a legacy telephone system and gain access to it. With SIP-based systems, however, attacks can be directed at IP addresses belonging to the telephony system and are more likely to find ways to penetrate it to make international calls.

SIP trunk security encompasses a number of different issues. To address them, most security vendors prefer a layered approach to provide an effective way of isolating and protecting the telephony system and the communications path to the SIP service provider. The layered approach avoids placing the whole security solution into a single box, which means a single firewall shouldn't be used to try to protect the whole infrastructure, even though that approach is common.

Of course, vendors are also responsible for many toll fraud incidents because their systems are either buggy or are not configured with a default mechanism that would help protect against toll fraud.

Here are some tips to help identify which areas of SIP security need to be changed or redesigned to help avoid unpleasant surprises.

Ensure complex passwords for your SIP trunk: SIP trunk providers require authentication in order to allow incoming and outgoing calls from the SIP trunk. Make sure complex passwords are used for the authentication process to your SIP provider.

Limit access to the telephony system: Only specific people from specific locations should have access to the telephony system. In most cases, the telephony system is incorrectly placed on the same network and virtual LAN (VLAN) as other network traffic. Always ensure your telephony systems are isolated in a separate VLAN and that the correct VLAN security policies are in effect. Check out Firewall.cx's VLAN Security article for more information.

Avoid port forwarding: The easiest and most dangerous method of getting a SIP trunk with your provider is to port forward the necessary ports (TCP/UDP 5060 & 5061) from your router/firewall directly to the telephony system. Port forwarding is extremely dangerous and can expose critical parts of your network to the public.

Make use of intrusion detection systems (IDS): IDSes help detect and mitigate attacks to your systems. Make sure a correctly configured IDS is in place to monitor all communications with your SIP provider. The IDS should automatically alert the administrator when attacks are in progress.

Lock your SIP trunk against toll-fraud access: Ensure some type of secret number must be entered before international calls can be made. This is a simple, but very effective, way to limit toll fraud on international calls.

Accept SIP traffic only from your SIP provider: Block traffic from all external sources except your SIP provider. This will help limit access to your telephony system and minimize chances of unauthorized access.

Encrypt SIP traffic with TLS and RTP: Transport Layer Security (TLS) can be used for signaling encryption (SIP TCP) and authentication, while Real-time Transport Protocol (RTP) can be used for media encryption. While TLS and RTP provide a serious level of encryption, they must be supported by both the telephony system and the SIP trunk provider.

Update and patch your security systems: Keeping security systems up to date is very important, especially when IDSes, intrusion prevention systems (IPSes) and firewall systems are involved. This helps take care of any bugs, exploits and security holes that have been discovered and published by your security vendor.

Always back up your systems: No matter how simple or complex your telephony and network security systems are, always make sure you have a valid and recent backup.
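The tips on accepting SIP traffic only from your provider and on alerting when attacks are in progress can be checked against edge-firewall logs. The following is an added example, not part of the original article: the log format, the provider network (a documentation address range) and the alert threshold are all assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: a documentation-range network stands in for the provider's
# signalling addresses; use the ranges your carrier actually publishes.
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/28")]
SIP_PORTS = {5060, 5061}
ALERT_THRESHOLD = 3  # hits from one outside source before alerting

# Constructed edge-firewall log: timestamp, protocol, source IP, dest port.
SAMPLE_LOG = """\
2024-05-01T02:14:07Z UDP 198.51.100.5 5060
2024-05-01T02:14:09Z UDP 203.0.113.77 5060
2024-05-01T02:14:10Z UDP 203.0.113.77 5060
2024-05-01T02:14:11Z TCP 203.0.113.77 5061
2024-05-01T02:15:30Z UDP 192.0.2.44 5060
2024-05-01T02:16:02Z TCP 192.0.2.44 443
garbled line that the parser must skip
"""

def parse_line(line):
    """Return (source address, destination port) or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return ipaddress.ip_address(parts[2]), int(parts[3])
    except ValueError:
        return None

def is_provider(addr):
    """True when the address falls inside an allowlisted provider network."""
    return any(addr in net for net in PROVIDER_NETS)

def audit_sip_sources(log_text):
    """Count SIP-port hits from sources outside the provider allowlist."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, port = rec
        if port in SIP_PORTS and not is_provider(src):
            hits[str(src)] += 1
    alert = sorted(s for s, n in hits.items() if n >= ALERT_THRESHOLD)
    return {"outside_sources": dict(hits), "alert": alert}

if __name__ == "__main__":
    print(audit_sip_sources(SAMPLE_LOG))
```

Any address listed under `outside_sources` reached a SIP port without belonging to the provider, which means the firewall rule is wider than the tip recommends.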

When it comes to network security, you can never be secure enough when connected to the Internet. Keeping your company and communication channels secure from the large range of attacks and dangers lurking on the Internet is an ongoing daily effort.

1 comment

Some others:

- Not using the standard port 5060, this needs to be coordinated with the carrier or other end but can prevent problems as this is a standard port that is scanned hundreds of times a week looking for potential targets.
- Real-time monitoring, see what is going on in real-time (or even near real-time) to prevent end of month bill shock. This should include threshold monitoring of number of calls, maximum cost of calls per day/hour, time of day monitoring (most fraud happens overnight, weekends, or holidays), and destinations (do all extensions really need to be able to call Cuba/Afghanistan/Palestine/etc.?)
- Use white lists rather than blacklists, block everything and only allow in the IP of your carrier, known address of authorized phones (off-site employees/offices/partners). If you block something that is needed you will hear about it and can add it but you will be protected from many of the hacks out there.
- Remember NAT is not a form of security, these days scanning all IP addresses takes no effort for those doing the hacks as it is automatic and can be done via bots.
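The threshold monitoring described in the comment above (number of calls, cost per day, time of day, destinations) can be run over call detail records. This is an added example, not code from the article or the commenter: the record layout, the policy values and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumed policy values; tune them to your own traffic and tariff.
MAX_CALLS_PER_HOUR = 3            # per extension
MAX_COST_PER_DAY = 20.00          # whole trunk, in billing currency
BUSINESS_HOURS = range(8, 18)     # 08:00-17:59, Monday to Friday
ALLOWED_PREFIXES = ("+1", "+44")  # destinations the business really calls

# Constructed call detail records: start, extension, dialled number, cost.
SAMPLE_CDRS = [
    ("2024-05-03 10:05", "201", "+12025550100", 0.40),
    ("2024-05-04 02:10", "305", "+5355500001", 6.50),
    ("2024-05-04 02:12", "305", "+5355500002", 6.50),
    ("2024-05-04 02:15", "305", "+5355500003", 6.50),
    ("2024-05-04 02:19", "305", "+5355500004", 6.50),
]

def check_cdrs(cdrs):
    """Return (start, extension, reason) alerts for records in time order."""
    alerts = []
    calls_per_hour = defaultdict(int)
    cost_per_day = defaultdict(float)
    for start, ext, number, cost in cdrs:
        t = datetime.strptime(start, "%Y-%m-%d %H:%M")
        if not number.startswith(ALLOWED_PREFIXES):
            alerts.append((start, ext, "destination"))
        if t.weekday() >= 5 or t.hour not in BUSINESS_HOURS:
            alerts.append((start, ext, "off-hours"))
        # Alert once, on the call that crosses each threshold.
        hour_key = (ext, t.date(), t.hour)
        calls_per_hour[hour_key] += 1
        if calls_per_hour[hour_key] == MAX_CALLS_PER_HOUR + 1:
            alerts.append((start, ext, "call-rate"))
        before = cost_per_day[t.date()]
        cost_per_day[t.date()] = before + cost
        if before <= MAX_COST_PER_DAY < before + cost:
            alerts.append((start, ext, "daily-cost"))
    return alerts

if __name__ == "__main__":
    for alert in check_cdrs(SAMPLE_CDRS):
        print(alert)
```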